An ACL (Access Control List) filters traffic as it passes through the switch, permitting or denying packets that cross specified interfaces or VLANs. The switch identifies and processes packets according to the ACL rules. In this way, ACLs help to limit network traffic, control network access, redirect packets to specified ports and more.

To configure ACL, follow these steps:

1) Configure a time range during which the ACL is in effect.

2) Create an ACL and configure the rules to filter different packets.

3) Bind the ACL to a port or VLAN to make it effective.

Configuration Guidelines

A packet "matches" an ACL rule when it meets the rule's matching criteria. The resulting action is either to permit or to deny the matching packet.

If no ACL rule is configured, packets are forwarded without being processed by the ACL. If ACL rules are configured but none of them matches a packet, the packet is dropped.

2 ACL Configuration

2.1 Using the GUI

2.1.1 Configuring Time Range

Some ACL-based services or features may need to be limited to take effect only during a specified time period. In this case, you can configure a time range for the ACL. For details about Time Range configuration, please refer to Managing System.

2.1.2 Creating an ACL

You can create different types of ACL and define the rules based on source MAC or IP address, destination MAC or IP address, protocol type, port number and so on.

Packet Content ACL: A Packet Content ACL analyzes and processes packets based on 4 chunk match conditions; each chunk selects a user-defined 4-byte segment within the packet's first 128 bytes. Only the T2600G series supports this feature.

The supported ACL type and ID range varies on different switch models. Please refer to the on-screen information.

2.1.3 Configuring ACL Rules

Note:

Every ACL has an implicit deny all rule at the end of an ACL rule list. That is, if an ACL is applied to a packet and none of the explicit rules match, then the final implicit deny all rule takes effect and the packet is dropped.

The created ACL will be displayed on the SECURITY > ACL > ACL Config page.

Figure 2-2 Editing ACL

Click Edit ACL in the Operation column. Then you can configure rules for this ACL.

Rule ID

Enter an ID number to identify the rule. It should not be the same as any existing rule ID in the same ACL. To leave room for inserting new rules later, set an appropriate interval between rule IDs.

If you select Auto Assign, the rule ID is assigned automatically by the system, and the default increment between neighboring rule IDs is 5.

Operation

Select an action to be taken when a packet matches the rule.

Permit: To forward the matched packets.

Deny: To discard the matched packets.

S-MAC/Mask

Enter the source MAC address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched; a 0 bit is ignored.

D-MAC/Mask

Enter the destination MAC address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched; a 0 bit is ignored.

VLAN ID

Enter the ID number of the VLAN with which packets will match. The valid range is 1-4094. If the ACL is bound to a VLAN, the system requires the VLAN ID of a packet to match the ID of the VLAN instead of the ID listed here.

EtherType

Specify the EtherType to be matched using 4 hexadecimal numbers.

User Priority

Specify the User Priority to be matched.

Time Range

Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect. The Time Range referenced here can be created on the SYSTEM > Time Range page.

Logging

Enable the Logging function for the ACL rule. The number of times the rule is matched is then logged every 5 minutes and a related trap is generated. See Total Matched Counter in the ACL Rules Table for the match count.

2) In the Policy section, enable or disable the Mirroring feature for the matched packets. With this option enabled, choose a destination port to which the packets will be mirrored.

Figure 2-5 Configuring Mirroring

3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected.

Figure 2-6 Configuring Redirect

Note:

In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded only on the destination port.

4) In the Policy section, enable or disable the Rate Limit feature for the matched packets. With this option enabled, configure the related parameters.

Figure 2-7 Configuring Rate Limit

Rate

Specify the transmission rate for the matched packets.

Burst Size

Specify the maximum number of bytes allowed in one second.

Out of Band

Select the action for the packets whose rate is beyond the specified rate.

None: The packets will be forwarded normally.

Drop: The packets will be discarded.

Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets will be changed to the specified one. T1500 series, T1600G-18TS, T1600G-28TS, T1600G-28PS, T1600G-52TS v4 and T1600G-52PS v4 do not support this option.

5) In the Policy section, enable or disable the QoS Remark feature for the matched packets. With this option enabled, configure the related parameters, and the remarked values will take effect in the QoS processing on the switch.

Figure 2-8 Configuring QoS Remark

DSCP

Specify the DSCP field for the matched packets. The DSCP field of the packets will be changed to the specified one.

Local Priority

Specify the local priority for the matched packets. The local priority of the packets will be changed to the specified one.

802.1p Priority

Specify the 802.1p priority for the matched packets. The 802.1p priority of the packets will be changed to the specified one.

6) Click Apply.

Configuring IP ACL Rule

Click Edit ACL for an IP ACL entry to load the following page.

Figure 2-9 Configuring the IP ACL Rule

In the ACL Rules Table section, click the icon for adding a rule and the following page will appear.

Figure 2-10 Configuring the IP ACL Rule

Follow these steps to configure the IP ACL rule:

1) In the IP ACL Rule section, configure the following parameters:

Rule ID

Enter an ID number to identify the rule.

It should not be the same as any existing rule ID in the same ACL. To leave room for inserting new rules later, set an appropriate interval between rule IDs.

If you select Auto Assign, the rule ID is assigned automatically by the system, and the default increment between neighboring rule IDs is 5.

Operation

Select an action to be taken when a packet matches the rule.

Permit: To forward the matched packets.

Deny: To discard the matched packets.

Fragment

With this option selected, the rule applies to all fragments of a packet except the last fragment of the fragment group. A deny rule with Fragment set therefore does not block the last fragment.

T1500 series, T1600G-18TS, T1600G-28TS, T1600G-28PS, T1600G-52TS v4 and T1600G-52PS v4 do not support this option.

S-IP/Mask

Enter the source IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.

D-IP/Mask

Enter the destination IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.

IP Protocol

Select a protocol type from the drop-down list. The default is No Limit, which indicates that packets of all protocols will be matched. You can also select User-defined to customize the IP protocol.

TCP Flag

If TCP protocol is selected, you can configure the TCP Flag to be used for the rule’s matching operations. There are six flags and each has three options, which are *, 0 and 1. The default is *, which indicates that the flag is not used for matching operations.

URG: Urgent flag.

ACK: Acknowledge flag.

PSH: Push flag.

RST: Reset flag.

SYN: Synchronize flag.

FIN: Finish flag.

S-Port / D-Port

If TCP/UDP is selected as the IP protocol, specify the source and destination port number with a mask.

Value: Specify the port number.

Mask: Specify the port mask with 4 hexadecimal digits. As with address masks, a 1 bit in the mask means the corresponding bit of the port number must match and a 0 bit is ignored.

DSCP

Specify a DSCP value to be matched between 0 and 63. The default is No Limit.

IP ToS

Specify an IP ToS value to be matched between 0 and 15. The default is No Limit.

IP Pre

Specify an IP Precedence value to be matched between 0 and 7. The default is No Limit.

Time Range

Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect. The Time Range referenced here can be created on the SYSTEM > Time Range page.

Logging

Enable the Logging function for the ACL rule. The number of times the rule is matched is then logged every 5 minutes and a related trap is generated. See Total Matched Counter in the ACL Rules Table for the match count.

2) In the Policy section, enable or disable the Mirroring feature for the matched packets. With this option enabled, choose a destination port to which the packets will be mirrored.

Figure 2-11 Configuring Mirroring

3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected.

Figure 2-12 Configuring Redirect

Note:

In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded only on the destination port.

4) In the Policy section, enable or disable the Rate Limit feature for the matched packets. With this option enabled, configure the related parameters.

Figure 2-13 Configuring Rate Limit

Rate

Specify the transmission rate for the matched packets.

Burst Size

Specify the maximum number of bytes allowed in one second.

Out of Band

Select the action for the packets whose rate is beyond the specified rate.

None: The packets will be forwarded normally.

Drop: The packets will be discarded.

Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets will be changed to the specified one. T1500 series, T1600G-18TS, T1600G-28TS, T1600G-28PS, T1600G-52TS v4 and T1600G-52PS v4 do not support this option.

5) In the Policy section, enable or disable the QoS Remark feature for the matched packets. With this option enabled, configure the related parameters, and the remarked values will take effect in the QoS processing on the switch.

Figure 2-14 Configuring QoS Remark

DSCP

Specify the DSCP field for the matched packets. The DSCP field of the packets will be changed to the specified one.

Local Priority

Specify the local priority for the matched packets. The local priority of the packets will be changed to the specified one.

802.1p Priority

Specify the 802.1p priority for the matched packets. The 802.1p priority of the packets will be changed to the specified one.

6) Click Apply.

Configuring Combined ACL Rule

Click Edit ACL for a Combined ACL entry to load the following page.

Figure 2-15 Configuring the Combined ACL Rule

In the ACL Rules Table section, click the icon for adding a rule and the following page will appear.

Figure 2-16 Configuring the Combined ACL Rule

Follow these steps to configure the Combined ACL rule:

1) In the Combined ACL Rule section, configure the following parameters:

Rule ID

Enter an ID number to identify the rule.

It should not be the same as any existing rule ID in the same ACL. To leave room for inserting new rules later, set an appropriate interval between rule IDs.

If you select Auto Assign, the rule ID is assigned automatically by the system, and the default increment between neighboring rule IDs is 5.

Operation

Select an action to be taken when a packet matches the rule.

Permit: To forward the matched packets.

Deny: To discard the matched packets.

S-MAC/Mask

Enter the source MAC address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.

D-MAC/Mask

Enter the destination MAC address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.

VLAN ID

Enter the ID number of the VLAN with which packets will match. The valid range is 1-4094. If the ACL is bound to a VLAN, the system requires the VLAN ID of a packet to match the ID of the VLAN instead of the ID listed here.

EtherType

Specify the EtherType to be matched using 4 hexadecimal numbers.

S-IP/Mask

Enter the source IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.

D-IP/Mask

Enter the destination IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.

IP Protocol

Select a protocol type from the drop-down list. The default is No Limit, which indicates that packets of all protocols will be matched. You can also select User-defined to customize the IP protocol.

TCP Flag

If TCP protocol is selected, you can configure the TCP Flag to be used for the rule’s matching operations. There are six flags and each has three options, which are *, 0 and 1. The default is *, which indicates that the flag is not used for matching operations.

URG: Urgent flag.

ACK: Acknowledge flag.

PSH: Push flag.

RST: Reset flag.

SYN: Synchronize flag.

FIN: Finish flag.

S-Port / D-Port

If TCP/UDP is selected as the IP protocol, specify the source and destination port number with a mask.

Value: Specify the port number.

Mask: Specify the port mask with 4 hexadecimal digits. As with address masks, a 1 bit in the mask means the corresponding bit of the port number must match and a 0 bit is ignored.

DSCP

Specify a DSCP value to be matched between 0 and 63. The default is No Limit.

IP ToS

Specify an IP ToS value to be matched between 0 and 15. The default is No Limit.

IP Pre

Specify an IP Precedence value to be matched between 0 and 7. The default is No Limit.

User Priority

Specify the User Priority to be matched.

Time Range

Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect. The Time Range referenced here can be created on the SYSTEM > Time Range page.

Logging

Enable the Logging function for the ACL rule. The number of times the rule is matched is then logged every 5 minutes and a related trap is generated. See Total Matched Counter in the ACL Rules Table for the match count.

2) In the Policy section, enable or disable the Mirroring feature for the matched packets. With this option enabled, choose a destination port to which the packets will be mirrored.

Figure 2-17 Configuring Mirroring

3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected.

Figure 2-18 Configuring Redirect

Note:

In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded only on the destination port.

4) In the Policy section, enable or disable the Rate Limit feature for the matched packets. With this option enabled, configure the related parameters.

Figure 2-19 Configuring Rate Limit

Rate

Specify the transmission rate for the matched packets.

Burst Size

Specify the maximum number of bytes allowed in one second.

Out of Band

Select the action for the packets whose rate is beyond the specified rate.

None: The packets will be forwarded normally.

Drop: The packets will be discarded.

Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets will be changed to the specified one. T1500 series, T1600G-18TS, T1600G-28TS, T1600G-28PS, T1600G-52TS v4 and T1600G-52PS v4 do not support this option.

5) In the Policy section, enable or disable the QoS Remark feature for the matched packets. With this option enabled, configure the related parameters, and the remarked values will take effect in the QoS processing on the switch.

Figure 2-20 Configuring QoS Remark

DSCP

Specify the DSCP field for the matched packets. The DSCP field of the packets will be changed to the specified one.

Local Priority

Specify the local priority for the matched packets. The local priority of the packets will be changed to the specified one.

802.1p Priority

Specify the 802.1p priority for the matched packets. The 802.1p priority of the packets will be changed to the specified one.

6) Click Apply.

Configuring the IPv6 ACL Rule

Click Edit ACL for an IPv6 ACL entry to load the following page.

Figure 2-21 Configuring the IPv6 ACL Rule

In the ACL Rules Table section, click the icon for adding a rule and the following page will appear.

Figure 2-22 Configuring the IPv6 ACL Rule

Follow these steps to configure the IPv6 ACL rule:

1) In the IPv6 ACL Rule section, configure the following parameters:

Rule ID

Enter an ID number to identify the rule.

It should not be the same as any existing rule ID in the same ACL. To leave room for inserting new rules later, set an appropriate interval between rule IDs.

If you select Auto Assign, the rule ID is assigned automatically by the system, and the default increment between neighboring rule IDs is 5.

Operation

Select an action to be taken when a packet matches the rule.

Permit: To forward the matched packets.

Deny: To discard the matched packets.

IPv6 Class

Specify an IPv6 class value to be matched. The switch will check the class field of the IPv6 header.

Flow Label

Specify a Flow Label value to be matched.

IPv6 Source IP

Enter the source IPv6 address to be matched. All types of IPv6 address will be checked. You may enter a complete 128-bit IPv6 address, but only the first 64 bits are used for matching; the interface-identifier half of the address is ignored, so a rule written for a single host matches every host in the same /64.

Mask

The mask is required if the source IPv6 address is entered. Enter the mask in complete format (for example, FFFF:FFFF:0000:FFFF).

The IP address mask specifies which bits in the source IPv6 address to match the rule. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.

IPv6 Destination IP

Enter the destination IPv6 address to be matched. All types of IPv6 address will be checked. You may enter a complete 128-bit IPv6 address, but only the first 64 bits are used for matching; the interface-identifier half of the address is ignored, so a rule written for a single host matches every host in the same /64.

Mask

The mask is required if the destination IPv6 address is entered. Enter the complete mask (for example, FFFF:FFFF:0000:FFFF).

The IP address mask specifies which bits in the destination IPv6 address to match the rule. A value of 1 in the mask indicates that the corresponding bit in the address will be matched.

IP Protocol

Select a protocol type from the drop-down list.

No Limit: Packets of all protocols will be matched.

UDP: Specify the source port and destination port for the UDP packet to be matched.

TCP: Specify the source port and destination port for the TCP packet to be matched.

User-defined: You can customize an IP protocol.

S-Port / D-Port

If TCP/UDP is selected as the IP protocol, specify the source and destination port numbers.

Time Range

Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect. The Time Range referenced here can be created on the SYSTEM > Time Range page.

2) In the Policy section, enable or disable the Mirroring feature for the matched packets. With this option enabled, choose a destination port to which the packets will be mirrored.

Figure 2-23 Configuring Mirroring

3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected.

Figure 2-24 Configuring Redirect

Note:

In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded only on the destination port.

4) In the Policy section, enable or disable the Rate Limit feature for the matched packets. With this option enabled, configure the related parameters.

Figure 2-25 Configuring Rate Limit

Rate

Specify the transmission rate for the matched packets.

Burst Size

Specify the maximum number of bytes allowed in one second.

Out of Band

Select the action for the packets whose rate is beyond the specified rate.

None: The packets will be forwarded normally.

Drop: The packets will be discarded.

Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets will be changed to the specified one. T1500 series, T1600G-18TS, T1600G-28TS, T1600G-28PS, T1600G-52TS v4 and T1600G-52PS v4 do not support this option.

5) In the Policy section, enable or disable the QoS Remark feature for the matched packets. With this option enabled, configure the related parameters, and the remarked values will take effect in the QoS processing on the switch.

Figure 2-26 Configuring QoS Remark

DSCP

Specify the DSCP field for the matched packets. The DSCP field of the packets will be changed to the specified one.

Local Priority

Specify the local priority for the matched packets. The local priority of the packets will be changed to the specified one.

802.1p Priority

Specify the 802.1p priority for the matched packets. The 802.1p priority of the packets will be changed to the specified one.

6) Click Apply.

Configuring the Packet Content ACL Rule

Only T2600G series support this feature.

Click Edit ACL for a Packet Content ACL entry to load the following page.

Enter the offset of each chunk. A Packet Content ACL analyzes and processes packets based on 4 chunk match conditions, and each chunk selects a user-defined 4-byte segment within the packet's first 128 bytes. Offset 0 matches bytes 3, 4, 5 and 6 of the packet, offset 1 matches bytes 7 to 10, and so on; offset 31 wraps around and matches bytes 127, 128, 1 and 2. In general, offset n covers bytes 4n+3 to 4n+6 (counting from 1), wrapping at byte 128.

Note: All 4 chunks must be set at the same time.

In the ACL Rules Table section, click the icon for adding a rule and the following page will appear.

Figure 2-28 Configuring the Packet Content ACL Rule

Follow these steps to configure the Packet Content ACL rule:

1) In the Packet Content Rule section, configure the following parameters:

Rule ID

Enter an ID number to identify the rule.

It should not be the same as any existing rule ID in the same ACL. To leave room for inserting new rules later, set an appropriate interval between rule IDs.

If you select Auto Assign, the rule ID is assigned automatically by the system, and the default increment between neighboring rule IDs is 5.

Operation

Select an action to be taken when a packet matches the rule.

Permit: To forward the matched packets.

Deny: To discard the matched packets.

Chunk0-Chunk3

Enter the offset (0 to 31) of each of the four chunks to be matched; see the description of chunk offsets above.

Chunk Value

Enter the 4-byte value in hexadecimal for the desired chunk, like ‘0000ffff’. The Packet Content ACL will check this chunk of packets to examine if the packets match the rule or not.

Chunk Mask

Enter the 4-byte mask in hexadecimal for the desired chunk. The mask must be written completely in 4-byte hex mode, like ‘0000ffff’. The mask specifies which bits to match the rule.

Time Range

Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect. The Time Range referenced here can be created on the SYSTEM > Time Range page.

Logging

Enable the Logging function for the ACL rule. The number of times the rule is matched is then logged every 5 minutes and a related trap is generated. See Total Matched Counter in the ACL Rules Table for the match count.

2) In the Policy section, enable or disable the Mirroring feature for the matched packets. With this option enabled, choose a destination port to which the packets will be mirrored.

Figure 2-29 Configuring Mirroring

3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected.

Figure 2-30 Configuring Redirect

Note:

In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded only on the destination port.

4) In the Policy section, enable or disable the Rate Limit feature for the matched packets. With this option enabled, configure the related parameters.

Figure 2-31 Configuring Rate Limit

Rate

Specify the transmission rate for the matched packets.

Burst Size

Specify the maximum number of bytes allowed in one second.

Out of Band

Select the action for the packets whose rate is beyond the specified rate.

None: The packets will be forwarded normally.

Drop: The packets will be discarded.

Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets will be changed to the specified one.

5) In the Policy section, enable or disable the QoS Remark feature for the matched packets. With this option enabled, configure the related parameters, and the remarked values will take effect in the QoS processing on the switch.

Figure 2-32 Configuring QoS Remark

DSCP

Specify the DSCP field for the matched packets. The DSCP field of the packets will be changed to the specified one.

Local Priority

Specify the local priority for the matched packets. The local priority of the packets will be changed to the specified one.

802.1p Priority

Specify the 802.1p priority for the matched packets. The 802.1p priority of the packets will be changed to the specified one.

6) Click Apply.
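The chunk addressing described above determines which bytes a Packet Content rule actually inspects. The following Python is an added example written for this page, not T2600G firmware: it maps a chunk offset to frame byte positions exactly as the page states (offset 0 covers bytes 3 to 6, offset 31 wraps to 127, 128, 1, 2), evaluates a four-chunk rule, and builds a constructed Ethernet/IPv4 frame to test it against. The rule matches "IPv4 with a 20-byte header carrying UDP to port 53" using nothing but byte offsets; zero-padding of frames shorter than 128 bytes is an assumption the page does not state.

```python
import struct

FRAME_WINDOW = 128   # the ACL only sees the first 128 bytes of a frame

def chunk_positions(offset: int) -> list:
    """0-indexed byte positions a chunk offset (0..31) covers, as the page
    describes: offset 0 -> bytes 3..6 (1-indexed), offset 31 -> 127, 128, 1, 2."""
    if not 0 <= offset <= 31:
        raise ValueError("chunk offset must be 0..31")
    return [(4 * offset + 2 + i) % FRAME_WINDOW for i in range(4)]

def chunk_value(frame: bytes, offset: int) -> int:
    """The chunk's 4 bytes as a big-endian integer. Frames shorter than 128
    bytes are treated as zero-padded (assumption; the page does not say)."""
    window = frame[:FRAME_WINDOW].ljust(FRAME_WINDOW, b"\x00")
    return int.from_bytes(bytes(window[p] for p in chunk_positions(offset)), "big")

def chunk_match(frame: bytes, offset: int, value: int, mask: int) -> bool:
    """Chunk Value/Mask semantics: only the mask's 1 bits are compared."""
    return (chunk_value(frame, offset) & mask) == (value & mask)

def rule_matches(frame: bytes, chunks: list) -> bool:
    """A Packet Content rule needs all four chunks set, and all four must match."""
    if len(chunks) != 4:
        raise ValueError("all 4 chunks must be set")
    return all(chunk_match(frame, off, val, msk) for off, val, msk in chunks)

def build_frame(proto: int, dport: int, ihl: int = 5) -> bytes:
    """Constructed test frame: Ethernet II + IPv4 (ihl*4 bytes) + 8-byte L4 header."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 8, 0, 0, 64, proto,
                     0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 53]))
    ip += b"\x00" * (ihl * 4 - 20)        # IP options, if ihl > 5
    l4 = struct.pack("!HHHH", 40000, dport, 8, 0)
    return eth + ip + l4

# Constructed rule: "IPv4, 20-byte header, UDP, destination port 53".
# Chunk offsets chosen from the layout of an untagged Ethernet II frame:
#   offset 2 -> bytes 11..14: EtherType in the low two bytes
#   offset 3 -> bytes 15..18: IP version/IHL in the high byte
#   offset 5 -> bytes 23..26: IP protocol in the second byte
#   offset 8 -> bytes 35..38: UDP destination port in the low two bytes
DNS_OVER_UDP = [
    (2, 0x00000800, 0x0000FFFF),
    (3, 0x45000000, 0xFF000000),
    (5, 0x00110000, 0x00FF0000),
    (8, 0x00000035, 0x0000FFFF),
]
```

Two caveats fall straight out of the example. An 802.1Q tag inserts four bytes after the source MAC and so shifts every later field by exactly one chunk offset, and any IP option changes the IHL byte and moves the UDP header; a rule like this one silently stops matching on tagged or option-bearing traffic. Since the ACL only sees the first 128 bytes, anything deeper in the payload cannot be matched at all.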

Viewing the ACL Rules

The rules in an ACL are listed in ascending order of rule ID. The switch compares a received packet with the rules in that order; at the first rule that matches, it stops matching and performs that rule's action. A more specific rule must therefore have a lower ID than any broader rule that would also match the same packets.

Click Edit ACL for an entry you have created and you can view the rule table. We take IP ACL rules table for example.

Figure 2-33 Viewing ACL Rules Table

Here you can view and edit the ACL rules. You can also click Resequence to resequence the rules by providing a Start Rule ID and Step value.
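The match semantics spelled out in the IP ACL field descriptions above (address and port masks, the TCP Flag pattern, the Fragment option), the IPv6 note that only the first 64 address bits are used, and the first-match ordering with the implicit deny at the end of the list can be checked against a small model. The following Python is an added example written for this page, not TP-Link code and not a model of any particular switch ASIC: field names follow the GUI labels, the sample ACL and packets are constructed, and the assumption that a TCP Flag pattern lists the six flags in the order the page lists them (URG, ACK, PSH, RST, SYN, FIN) is marked in the code.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address
from typing import Optional

# Assumption: a TCP Flag pattern lists the six flags in the order the page
# lists them, so "*0**1*" means ACK must be 0 and SYN must be 1.
FLAG_ORDER = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)

def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def masked_match(value: int, rule_value: int, mask: int) -> bool:
    """Mask semantics from the page: a 1 bit must match, a 0 bit is ignored."""
    return (value & mask) == (rule_value & mask)

def port_range(port: int, mask: int) -> tuple:
    """Lowest and highest port a Value/Mask pair (16-bit mask) actually covers."""
    low = port & mask
    return low, low | (~mask & 0xFFFF)

def tcp_flags_match(pattern: str, flags: dict) -> bool:
    """One character per flag in FLAG_ORDER: '*' ignores it, '0'/'1' must equal."""
    if len(pattern) != len(FLAG_ORDER):
        raise ValueError("pattern needs exactly six characters")
    return all(want == "*" or int(want) == flags.get(name, 0)
               for want, name in zip(pattern, FLAG_ORDER))

def ipv6_match(addr: str, rule_addr: str, mask64: str) -> bool:
    """Only the first 64 bits of an IPv6 address are compared; the mask is
    entered as four 16-bit groups (for example FFFF:FFFF:0000:FFFF)."""
    mask = 0
    for group in mask64.split(":"):
        mask = (mask << 16) | int(group, 16)
    top64 = lambda a: int(IPv6Address(a)) >> 64
    return (top64(addr) & mask) == (top64(rule_addr) & mask)

@dataclass
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    sip: Optional[str] = None
    sip_mask: str = "255.255.255.255"
    protocol: Optional[int] = None   # 6 = TCP, 17 = UDP, None = No Limit
    dport: Optional[int] = None
    dport_mask: int = 0xFFFF         # the GUI's 4 hex digits
    tcp_flags: str = "******"
    fragment: bool = False

@dataclass
class Packet:
    sip: str
    protocol: int
    dport: int = 0
    flags: dict = field(default_factory=dict)
    is_fragment: bool = False
    last_fragment: bool = False

def rule_matches(r: Rule, p: Packet) -> bool:
    # Fragment: the rule applies to every fragment of a packet except the last.
    if r.fragment and (not p.is_fragment or p.last_fragment):
        return False
    if r.sip and not masked_match(ip_to_int(p.sip), ip_to_int(r.sip), ip_to_int(r.sip_mask)):
        return False
    if r.protocol is not None and p.protocol != r.protocol:
        return False
    if r.dport is not None and not masked_match(p.dport, r.dport, r.dport_mask):
        return False
    if r.protocol == 6 and not tcp_flags_match(r.tcp_flags, p.flags):
        return False
    return True

def evaluate(rules: list, p: Packet) -> tuple:
    """Try rules in ascending rule ID; the first match decides. No match falls
    through to the implicit deny-all at the end of every ACL."""
    for r in sorted(rules, key=lambda x: x.rule_id):
        if rule_matches(r, p):
            return r.action, r.rule_id
    return "deny", None

# Constructed sample ACL for a management VLAN (not taken from the page).
MGMT_ACL = [
    Rule(10, "deny", fragment=True),
    Rule(20, "permit", sip="10.0.0.0", sip_mask="255.255.255.0", protocol=6,
         dport=22, tcp_flags="*0**1*"),                  # new SSH sessions from 10.0.0.0/24
    Rule(30, "permit", protocol=6, tcp_flags="*1****"),  # any TCP segment with ACK set
    Rule(40, "permit", protocol=17, dport=8080, dport_mask=0xFFF0),  # UDP 8080-8095
]
```

Two things the model makes visible that the field descriptions alone do not: a stateless "ACK set" rule such as rule 30, often used to approximate "established" traffic, permits any ACK-flagged probe from any source, and a Fragment rule never sees the last fragment, which falls through to the rules after it. Use port_range to see what a Value/Mask pair actually covers before committing it, and keep in mind that a host-specific IPv6 rule covers the whole /64.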

2.1.4 Configuring ACL Binding

You can bind the ACL to a port or a VLAN. The received packets on the port or in the VLAN will then be matched and processed according to the ACL rules. An ACL takes effect only after it is bound to a port or VLAN.

Note:

Different types of ACLs cannot be bound to the same port or VLAN.

Multiple ACLs of the same type can be bound to the same port or VLAN. The switch matches the received packets using the ACLs in order. The ACL that is bound earlier has a higher priority.

1) Choose ID or Name to be used for matching the ACL. Then select an ACL from the drop-down list.

2) Enter the ID of the VLAN to be bound.

3) Click Create.

2.2 Using the CLI

2.2.1 Configuring Time Range

Some ACL-based services or features may need to be limited to take effect only during a specified time period. In this case, you can configure a time range for the ACL. For details about Time Range Configuration, please refer to Managing System.

2.2.2 Configuring ACL

Follow the steps to create different types of ACL and configure the ACL rules.

You can define the rules based on source or destination IP address, source or destination MAC address, protocol type, port number and others.

acl-id-or-name: Enter the ID or name of the ACL that you want to add a rule for.

auto: The rule ID will be assigned automatically and the interval between rule IDs is 5.

rule-id: Assign an ID to the rule.

deny | permit: Specify the action to be taken with the packets that match the rule. By default, it is set to permit. The packets will be discarded if “deny” is selected and forwarded if “permit” is selected.

logging {enable | disable}: Enable or disable the Logging function for the ACL rule. If "enable" is selected, the number of times the rule is matched is logged every 5 minutes. With the ACL Counter trap enabled, a related trap is generated whenever the match count changes.

source-mac: Enter the source MAC address. The format is FF:FF:FF:FF:FF:FF.

source-mac-mask: Enter the mask of the source MAC address. This is required if a source MAC address is entered. The format is FF:FF:FF:FF:FF:FF.

destination-mac: Enter the destination MAC address. The format is FF:FF:FF:FF:FF:FF.

destination-mac-mask: Enter the mask of the destination MAC address. This is required if a destination MAC address is entered. The format is FF:FF:FF:FF:FF:FF.

ether-type: Specify an Ethernet-type with 4 hexadecimal numbers.

dot1p-priority: The user priority ranges from 0 to 7. The default is No Limit.

vlan-id: The VLAN ID ranges from 1 to 4094.

time-range-name: The name of the time-range. The default is No Limit.

Step 4

exit

Return to global configuration mode.

Step 5

show access-list [ acl-id-or-name ]

Display the current ACL configuration.

acl-id-or-name: The ID number or name of the ACL.

Step 6

end

Return to privileged EXEC mode.

Step 7

copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to create MAC ACL 50 and configure Rule 5 to permit packets with source MAC address 00:34:A2:D4:34:B5:

acl-id-or-name: Enter the ID or name of the ACL that you want to add a rule for.

auto: The rule ID will be assigned automatically and the interval between rule IDs is 5.

rule-id: Assign an ID to the rule.

deny | permit: Specify the action to be taken with the packets that match the rule. Deny means to discard; permit means to forward. By default, it is set to permit.

logging {enable | disable}: Enable or disable the Logging function for the ACL rule. If "enable" is selected, the number of times the rule is matched is logged every 5 minutes. With the ACL Counter trap enabled, a related trap is generated whenever the match count changes.

sip-address: Enter the source IP address.

sip-address-mask: Enter the mask of the source IP address. This is required if a source IP address is entered.

dip-address: Enter the destination IP address.

dip-address-mask: Enter the mask of the destination IP address. This is required if a destination IP address is entered.

dscp-value: Specify the DSCP value between 0 and 63.

tos-value: Specify an IP ToS value to be matched between 0 and 15.

pre-value: Specify an IP Precedence value to be matched between 0 and 7.

frag {enable | disable}: Enable or disable matching of fragmented packets. The default is disable. When enabled, the rule applies to all fragmented packets, but the last fragment of a packet is always forwarded. T1500 series, T1600G-18TS, T1600G-28TS, T1600G-28PS, T1600G-52TS v4 and T1600G-52PS v4 do not support this option.

protocol: Specify a protocol number between 0 and 255.

s-port-number: With TCP or UDP configured as the protocol, specify the source port number.

s-port-mask: With TCP or UDP configured as the protocol, specify the source port mask with 4 hexadecimal digits.

d-port-number: With TCP or UDP configured as the protocol, specify the destination port number.

d-port-mask: With TCP or UDP configured as the protocol, specify the destination port mask with 4 hexadecimal digits.

tcpflag: With TCP configured as the protocol, specify the flag value using either binary numbers or * (for example, 01*010*). The default is *, which indicates that the flag will not be matched.

acl-id-or-name: Enter the ID or name of the ACL that you want to add a rule for.

auto: The rule ID will be assigned automatically and the interval between rule IDs is 5.

rule-id: Assign an ID to the rule.

deny | permit: Specify the action to be taken with the packets that match the rule. Deny means to discard; permit means to forward. By default, it is set to permit.

logging {enable | disable}: Enable or disable the logging function for the ACL rule. If "enable" is selected, the number of times the rule is matched is logged every 5 minutes. With the ACL Counter trap enabled, a trap is also generated when the match count changes.

source-mac-address: Enter the source MAC address.

source-mac-mask: Enter the source MAC address mask.

dest-mac-address: Enter the destination MAC address.

dest-mac-mask: Enter the destination MAC address mask. This is required if a destination MAC address is entered.

vlan-id: The VLAN ID ranges from 1 to 4094.

ether-type: Specify the Ethernet-type with 4 hexadecimal numbers.

priority: The user priority ranges from 0 to 7. The default is No Limit.

sip-address: Enter the source IP address.

sip-address-mask: Enter the mask of the source IP address. This is required if a source IP address is entered.

dip-address: Enter the destination IP address.

dip-address-mask: Enter the destination IP address mask. This is required if a destination IP address is entered.

dscp-value: Specify the DSCP value between 0 and 63.

tos-value: Specify an IP ToS value to be matched between 0 and 15.

pre-value: Specify an IP Precedence value to be matched between 0 and 7.

protocol: Specify a protocol number between 0 and 255.

s-port-number: With TCP or UDP configured as the protocol, specify the source port number.

s-port-mask: With TCP or UDP configured as the protocol, specify the source port mask with 4 hexadecimal digits.

d-port-number: With TCP or UDP configured as the protocol, specify the destination port number.

d-port-mask: With TCP or UDP configured as the protocol, specify the destination port mask with 4 hexadecimal digits.

tcpflag: With TCP configured as the protocol, specify the flag value using either binary numbers or * (for example, 01*010*). The default is *, which indicates that the flag will not be matched.

acl-id-or-name: Enter the ID or name of the ACL that you want to add a rule for.

auto: The rule ID will be assigned automatically and the interval between rule IDs is 5.

rule-id: Assign an ID to the rule.

deny | permit: Specify the action to be taken with the packets that match the rule. Deny means to discard; permit means to forward. By default, it is set to permit.

logging {enable | disable}: Enable or disable the logging function for the ACL rule. If "enable" is selected, the number of times the rule is matched is logged every 5 minutes. With the ACL Counter trap enabled, a trap is also generated when the match count changes.

class-value: Specify a class value to be matched. It ranges from 0 to 63.

flow-label-value: Specify a Flow Label value to be matched.

source-ip-address: Enter the source IPv6 address to be matched. All types of IPv6 address will be checked. You may enter a complete 128-bit IPv6 address, but only the first 64 bits will be valid.

source-ip-mask: Enter the source IPv6 address mask. The mask is required if a source IPv6 address is entered. Enter the mask in complete format (for example, ffff:ffff:0000:ffff). The mask specifies which bits of the source IPv6 address are matched against the rule.

destination-ip-address: Enter the destination IPv6 address to be matched. All types of IPv6 address will be checked. You may enter a complete 128-bit IPv6 address, but only the first 64 bits will be valid.

destination-ip-mask: Enter the destination IPv6 address mask. The mask is required if a destination IPv6 address is entered. Enter the mask in complete format (for example, ffff:ffff:0000:ffff). The mask specifies which bits of the destination IPv6 address are matched against the rule.

Specify the offset of each chunk; all 4 chunks must be set at the same time.

offset0 - offset3: Specify the offset of each chunk; the value ranges from 0 to 31. When the offset is set to 31, the chunk matches bytes 127, 128, 1 and 2 of the packet; when the offset is set to 0, it matches bytes 3, 4, 5 and 6, and so on for the remaining offset values.

acl-id-or-name: Enter the ID or name of the ACL that you want to add a rule for.

auto: The rule ID will be assigned automatically and the interval between rule IDs is 5.

rule-id: Assign an ID to the rule.

deny | permit: Specify the action to be taken with the packets that match the rule. Deny means to discard; permit means to forward. By default, it is set to permit.

logging {enable | disable}: Enable or disable the logging function for the ACL rule. If "enable" is selected, the number of times the rule is matched is logged every 5 minutes. With the ACL Counter trap enabled, a trap is also generated when the match count changes.

value: Enter the 4-byte value in hexadecimal for the desired chunk, like ‘0000ffff’. The Packet Content ACL will check this chunk of packets to examine if the packets match the rule or not.

mask: Enter the 4-byte mask in hexadecimal for the desired chunk. The mask must be written completely in 4-byte hex mode, like ‘0000ffff’. The mask specifies which bits to match the rule.

time-range-name: The name of the time-range. The default is No Limit.

Step 5

end

Return to privileged EXEC mode.

Step 6

copy running-config startup-config

Save the settings in the configuration file.
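The chunk offset and mask semantics described for the Packet Content ACL parameters above, modelled as an added Python example (this is not the guide's or the switch's code). The offset-to-byte mapping is inferred from the two cases the guide gives and assumed to step 4 bytes per offset value; the offset 1 and full mask used for the chunk1 = 0x58 rule are assumptions, since the guide does not state them.

```python
# Added example, not the TP-Link guide's own code: models how a Packet Content
# ACL chunk selects 4 bytes from the first 128 bytes of a packet and how the
# chunk's value and mask are compared. The offset-to-byte mapping is inferred
# from the two cases the guide gives (offset 0 -> bytes 3,4,5,6 and
# offset 31 -> bytes 127,128,1,2) and assumed to step 4 bytes per offset value.

def chunk_byte_positions(offset):
    """1-based positions of the four bytes covered by a chunk at this offset."""
    if not 0 <= offset <= 31:
        raise ValueError("offset must be between 0 and 31")
    start = 3 + 4 * offset                       # offset 0 starts at byte 3
    return [((start - 1 + i) % 128) + 1 for i in range(4)]   # wraps past 128

def chunk_value(packet, offset):
    """The 4-byte chunk as an integer; bytes beyond a short packet read as 0."""
    data = bytes(packet[p - 1] if p <= len(packet) else 0
                 for p in chunk_byte_positions(offset))
    return int.from_bytes(data, "big")

def chunk_matches(packet, offset, value, mask):
    """Mask bits set to 1 are compared, as the guide describes for the mask."""
    return (chunk_value(packet, offset) & mask) == (value & mask)

def packet_content_rule(packet, chunks, action="deny"):
    """chunks: list of (offset, value, mask); every chunk must match.
    Returns the rule's action on a match, otherwise None (rule not hit)."""
    if all(chunk_matches(packet, off, val, msk) for off, val, msk in chunks):
        return action
    return None

# Constructed 128-byte sample packet: byte n (1-based) holds the value n.
SAMPLE = bytes(range(1, 129))

# The guide's example denies packets whose chunk1 is 0x58; it does not show the
# chunk offset or mask, so offset 1 and a full 4-byte mask are assumed here.
DENY_CHUNK1_0X58 = [(1, 0x00000058, 0xFFFFFFFF)]
```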

The following example shows how to create Packet Content ACL 2000 and deny the packets whose chunk1 value is 0x58:

(Optional) Define the policy to monitor the rate of the matched packets.

rate: Specify a rate from 1 to 1000000 kbps.

burst-size: Specify the number of bytes allowed in one second ranging from 1 to 128.

osd: Select either “none”, “discard” or “remark dscp” as the action to be taken for the packets whose rate is beyond the specified rate. The default is None. When “remark dscp” is selected, you also need to specify the DSCP value for the matched packets. The DSCP value ranges from 0 to 63. T1500 series, T1600G-18TS, T1600G-28TS, T1600G-28PS, T1600G-52TS v4 and T1600G-52PS v4 do not support DSCP option.

qos-remark [ dscp dscp ] [ priority pri ] [ dot1p pri ]

(Optional) Define the policy to remark priority for the matched packets.

dscp dscp: Specify the DSCP value for the data packets. The value ranges from 0 to 63.

priority pri: Specify the local priority for the data packets. The value ranges from 0 to 7.

dot1p pri: Specify the 802.1p priority for the data packets. The value ranges from 0 to 7.

Step 4

end

Return to privileged EXEC mode.

Step 5

copy running-config startup-config

Save the settings in the configuration file.

Redirect the matched packets to port 1/0/4 for rule 1 of MAC ACL 10:

Switch#configure

Switch(config)#access-list action 10 rule 1

Switch(config-action)#redirect interface gigabitEthernet 1/0/4

Switch(config-action)#exit

Switch(config)#show access-list 10

MAC access list 10 name: ACL_10

rule 5 permit logging disable action redirect Gi1/0/4

Switch(config)#end

Switch#copy running-config startup-config

2.2.4 Configuring ACL Binding

You can bind the ACL to a port or a VLAN. The received packets on the port or in the VLAN will then be matched and processed according to the ACL rules. An ACL takes effect only after it is bound to a port or VLAN.

Note:

Different types of ACLs cannot be bound to the same port or VLAN.

Multiple ACLs of the same type can be bound to the same port or VLAN. The switch matches the received packets using the ACLs in order. The ACL that is bound earlier has a higher priority.

You can use the following command to view the number of matched packets of each ACL in the privileged EXEC mode and any other configuration mode:

show access-list acl-id-or-name counter

View the number of matched packets of the specific ACL.

acl-id-or-name: Specify the ID or name of the ACL to be viewed.

3 Configuration Example for ACL

3.1 Configuration Example for MAC ACL

3.1.1 Network Requirements

A company forbids the employees in the R&D department to visit the internal forum during work hours, while the manager of the R&D department can access the internal forum without limitation.

As shown below, the internal forum server is connected to the switch via port 1/0/1, and computers in the R&D department are connected to the switch via port 1/0/2.

Figure 3-1 Network Topology

3.1.2 Configuration Scheme

To meet the requirements above, you can set up packet filtering by creating a MAC ACL and configuring rules for it.

Time Range Configuration

Create a time range entry for the work hours of the company. Apply the time range to the ACL rule that blocks access to the internal forum server.

ACL Configuration

Create a MAC ACL and configure the following rules for it:

Configure a permit rule to match packets with source MAC address 8C-DC-D4-40-A1-79 and destination MAC address 40-61-86-FC-71-56. This rule allows the manager of R&D department to visit internal forum at any time.

Configure a deny rule to match packets with destination MAC address 40-61-86-FC-71-56 and apply the time range of work hours. This rule forbids the employees in the R&D department to visit the internal forum during work hours.

Configure a permit rule to match all the packets that match neither of the above rules.

Binding Configuration

Bind the MAC ACL to port 1/0/2 so that the ACL rules are applied to the computers in the R&D department, which are restricted from the internal forum during work hours.

Demonstrated with T2600G-28TS, the following sections explain the configuration procedure in two ways: using the GUI and using the CLI.

3.1.3 Using the GUI

1) Choose the menu SYSTEM > Time Range > Time Range Config and click to load the following page. Create a time range named Work_time.

Figure 3-2 Configuring Time Range

2) In the Period Time Config section, click and the following window will pop up. Add the work hours of the company in the Period Time and click Save.

Figure 3-3 Adding Period Time

3) After adding the Period Time, click Create to save the time range entry.

Figure 3-4 Creating Time Range

4) Choose the menu SECURITY > ACL > ACL Config and click to load the following page. Then create a MAC ACL for the marketing department.

As shown below, a company’s internal server group can provide different types of services. Computers in the Marketing department are connected to the switch via port 1/0/1, and the internal server group is connected to the switch via port 1/0/2.

Figure 3-12 Network Topology

It is required that:

The Marketing department can only access the internal server group in the intranet.

The Marketing department can only visit http and https websites on the internet.

3.2.2 Configuration Scheme

To meet the requirements above, you can set up packet filtering by creating an IP ACL and configuring rules for it.

Configure four permit rules to match the packets with source IP address 10.10.70.0/24 and destination ports TCP 80, TCP 443 and TCP/UDP 53. These allow the Marketing department to visit http and https websites on the internet.

Configure a deny rule to match the packets with source IP address 10.10.70.0/24. This rule blocks other network services.

The switch matches the packets with the rules in order, starting with Rule 1. If a packet matches a rule, the switch stops the matching process and initiates the action defined in the rule.

Binding Configuration

Bind the IP ACL to port 1/0/1 so that the ACL rules will apply to the Marketing department only.

Demonstrated with T2600G-28TS, the following sections explain the configuration procedure in two ways: using the GUI and using the CLI.

3.2.3 Using the GUI

1) Choose the menu SECURITY > ACL > ACL Config and click to load the following page. Then create an IP ACL for the marketing department.

To enhance network security, a company requires that only the network administrator can log in to the switch through a Telnet connection. The computers are connected to the switch via port 1/0/2. The network topology is shown below.

Figure 3-23 Network Topology

3.3.2 Configuration Scheme

To meet the requirements above, you can set up packet filtering by creating a Combined ACL and configuring rules for it.

ACL Configuration

Create a Combined ACL and configure the following rules for it:

Configure a permit rule to match packets with source MAC address 6C-62-6D-F5-BA-48 and destination port TCP 23. This rule allows the computer of the network administrator to access the switch through a Telnet connection.

Configure a deny rule to match all the packets except the packets with source MAC address 6C-62-6D-F5-BA-48 and destination port TCP 23. This rule blocks Telnet connections to the switch from other computers.

Configure a permit rule to match all the packets. This rule allows other devices to use the network services other than Telnet.

The switch matches the packets with the rules in order, starting with Rule 1. If a packet matches a rule, the switch stops the matching process and initiates the action defined in the rule.
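The ordered first-match evaluation described here and in the IP ACL scheme above, together with the implicit deny at the end of the rule list, as an added Python model (not the guide's or the switch's code). It encodes the Combined ACL from this section and the MAC ACL from section 3.1; the field names and the work-hour window are this example's own assumptions.

```python
# Added example, not the TP-Link guide's own code: a model of how a bound ACL
# is evaluated rule by rule in order; the first matching rule decides, and the
# implicit "deny all" applies when no explicit rule matches. A rule carries only
# the fields it constrains (an absent field is "No Limit"); as the guide says of
# its masks, mask bits set to 1 are compared. Field names are this example's own.

def rule_matches(rule, pkt):
    """rule["match"] maps field -> (value, mask); pkt maps field -> int."""
    for field, (value, mask) in rule["match"].items():
        if field not in pkt or (pkt[field] & mask) != (value & mask):
            return False
    in_range = rule.get("time_range")            # optional hour-of-day check
    return in_range is None or in_range(pkt["time"])

def evaluate_acl(rules, pkt):
    """Return (action, rule_id) from the first matching rule."""
    if not rules:                                 # no rules: not filtered
        return "permit", "no-rules"
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"], rule["id"]
    return "deny", "implicit-deny"                # end of list: dropped

def mac(text):                                    # "6C-62-6D-F5-BA-48" -> int
    return int(text.replace("-", ""), 16)
MAC_ALL = 0xFFFFFFFFFFFF                          # compare every MAC bit
TELNET = {"proto": (6, 0xFF), "dport": (23, 0xFFFF)}   # TCP, destination 23

# Combined ACL from section 3.3: only the administrator's PC may Telnet to the
# switch; rule 2 only sees Telnet packets that rule 1 did not already permit.
ADMIN_MAC = mac("6C-62-6D-F5-BA-48")
TELNET_ACL = [
    {"id": 1, "action": "permit", "match": {"smac": (ADMIN_MAC, MAC_ALL), **TELNET}},
    {"id": 2, "action": "deny", "match": dict(TELNET)},
    {"id": 3, "action": "permit", "match": {}},
]

# MAC ACL from section 3.1: R&D may not reach the forum server during work
# hours, but the manager may at any time. The work-hour window is constructed.
MANAGER_MAC = mac("8C-DC-D4-40-A1-79")
FORUM_MAC = mac("40-61-86-FC-71-56")
FORUM_ACL = [
    {"id": 1, "action": "permit",
     "match": {"smac": (MANAGER_MAC, MAC_ALL), "dmac": (FORUM_MAC, MAC_ALL)}},
    {"id": 2, "action": "deny", "match": {"dmac": (FORUM_MAC, MAC_ALL)},
     "time_range": lambda hour: 9 <= hour < 18},
    {"id": 3, "action": "permit", "match": {}},
]
```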

Binding Configuration

Bind the Combined ACL to port 1/0/2 so that the ACL rules are applied to the network administrator's computer and to the devices that are restricted from Telnet connections.

Demonstrated with T2600G-28TS, the following sections explain the configuration procedure in two ways: using the GUI and using the CLI.

3.3.3 Using the GUI

1) Choose the menu SECURITY > ACL > ACL Config and click to load the following page. Then create a Combined ACL for the marketing department.